I'm managing a bunch of IIS 8.5 servers and I'm working on complying with security baselines.
My question is this: If I run a specific appcmd query on one of our IIS servers, I get the following:
```
C:\>appcmd list config -section:system.web/authentication
<system.web>
  <authentication mode="Forms">
    <forms requireSSL="true">
      <credentials>
      </credentials>
    </forms>
    <passport />
  </authentication>
</system.web>
C:\>
```
What I need to do is find the actual configuration file that appcmd is reading from here, so I can update the relevant section manually (updating using appcmd itself causes all kinds of problems). I can't find it. I've checked the following files so far:
- %SYSTEMROOT%\System32\inetsrv\config\applicationHost.config
- %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
- %SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\Config\web.config
- %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
- %SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
- %WEBROOT%\web.config
- %WEBROOT%\old application path\web.config
- new application path\web.config
I can't think of any other places to look. Most of those files don't even have a <system.web> section and none of them have the word "credentials" in them anywhere.
Where is appcmd reading from to generate the output above?
Edit:
I'm still looking into this, and just found the following here, which might be the answer:
Default Configuration
The following default credentials element is not explicitly configured in the Machine.config or root Web.config file. However, it is the default configuration that is returned by the application.
<credentials passwordFormat="SHA1" />
Check:
System.web is a .NET setting, so it should be in the global web.config file. It seems it is only in the 64-bit version, not the 32-bit framework.
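
An added example, not part of the original question or answer: a PowerShell function that checks each candidate file, such as those in the list in the question, for an explicit `<system.web>/<authentication>` element, so that values a file actually sets can be told apart from defaults that no file contains. The function name `Find-AuthenticationSection` and the two sample files are constructed for illustration; pass the real paths from the list to audit a server.

```powershell
function Find-AuthenticationSection {
    param([Parameter(Mandatory = $true)][string[]]$Path)
    # local-name() keeps the query working if <configuration> declares an xmlns.
    $xpath = "//*[local-name()='system.web']/*[local-name()='authentication']"
    foreach ($p in $Path) {
        $file = [Environment]::ExpandEnvironmentVariables($p)
        $row = [ordered]@{ File = $file; Location = ''; Mode = ''; RequireSSL = ''
                           PasswordFormat = ''; Note = '' }
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            $row.Note = 'file not found'; [pscustomobject]$row; continue
        }
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load((Resolve-Path -LiteralPath $file).ProviderPath)
        $nodes = $xml.SelectNodes($xpath)
        if ($nodes.Count -eq 0) {
            $row.Note = 'no explicit section in this file'; [pscustomobject]$row; continue
        }
        foreach ($auth in $nodes) {
            # A section may sit under <location path="...">, scoping it to one site or app.
            $loc   = $auth.SelectSingleNode("ancestor::*[local-name()='location']")
            $forms = $auth.SelectSingleNode("*[local-name()='forms']")
            $cred  = if ($null -ne $forms) { $forms.SelectSingleNode("*[local-name()='credentials']") }
            $row.Location   = if ($null -ne $loc) { $loc.GetAttribute('path') } else { '' }
            $row.Mode       = $auth.GetAttribute('mode')
            $row.RequireSSL = if ($null -ne $forms) { $forms.GetAttribute('requireSSL') } else { '' }
            $row.PasswordFormat = if ($null -ne $cred -and $cred.HasAttribute('passwordFormat')) {
                $cred.GetAttribute('passwordFormat') } else { '(not set in file)' }
            $row.Note = 'explicit section'
            [pscustomobject]$row
        }
    }
}

# Constructed sample files (not from a real server) so the function can be tried offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'auth-section-demo'
New-Item -ItemType Directory -Force -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'applicationHost.config') -Value '<configuration><system.webServer /></configuration>'
Set-Content -LiteralPath (Join-Path $demo 'web.config') -Value @'
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms requireSSL="true"><credentials /></forms>
    </authentication>
  </system.web>
</configuration>
'@
$files = @((Join-Path $demo 'applicationHost.config'), (Join-Path $demo 'web.config'))
Find-AuthenticationSection -Path $files | Format-Table -AutoSize
```

A row reading `(not set in file)` for `PasswordFormat` means the file does not set that attribute, which is the case the documentation quoted in the question describes for `<credentials passwordFormat="SHA1" />`.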